
Servodrives can simplify functional safety

07 January, 2021

The IEC 61508 functional safety standard has made life much easier for machine-builders, as well as for end-users. The result, as Rami Simany, application engineering technology manager at Elmo Motion Control, explains, has been safer, smarter, smaller, simpler and better-performing machines.

Machine safety has evolved significantly since the 1990s, with the release of the functional safety standard IEC 61508 in 1998 marking a turning point for machine-builders and end-users. With a standardised safety concept, equipment suppliers and machine-builders could instil confidence in their customers that their safety systems had been tested and vetted rigorously, and users no longer had to spend time and resources analysing the risk of a machine or system failure.

The introduction of functional safety and the related standards has also (almost) freed machine-builders from the task of safety design, as well as the need to purchase, install and connect banks of hardware – such as safety contactors, relays, switches, IOs and brake controllers – as well as the exhausting process of machine safety assessments and approvals.

Previously, safe machine operation was achieved using relays that cut power if a safety condition was violated – such as an operator entering an enclosure or breaking a light curtain. Functional safety has replaced hardware and the costly approvals process with software. The end result is not only truly “functional” safety, but also increased uptime, better productivity, and reduced scrap for end-users.

Unlike traditional hardware-based safety systems, functional safety relies on safety-rated components. The main difference is that instead of using lots of separate safety components, much of the safety functionality can be integrated into a servodrive, for example. The ultimate goal is to replace most of the safety hardware with software such as Failsafe over EtherCAT (FSoE). Some hardware is still needed – such as safety brakes, IO and encoders – to control the operating parameters of the equipment.

Rather than cutting power instantly to an axis if a safety parameter is violated, functional safety systems restrict the motion of the axis. This allows the system to handle a fault while maintaining a predefined safety level and informing the user through self-diagnosis and automated alerts.

Monitor and respond

Drive-based safety functions cover a wide range of tasks, from safely stopping the drive, to monitoring motion parameters such as speed, position, or torque. Safety functions integrated into some servodrives include:

• Safe Torque Off (STO). This removes power to the motor. The shaft continues to freewheel without applying any torque until the kinetic energy runs down. The drive remains energised for faster restart. STO can be activated either by two hardware signals or by FSoE communication.

• Safe Stop 1 (SS1). Active braking brings the shaft to a rapid, controlled stop so that the axis stops turning. At this point, STO is invoked. SS1 is used where motion of an axis could endanger people or equipment.

• Safe Operating Stop (SOS). The drive holds the motor at zero speed without removing torque. Equipment can restart immediately without a reset.

Elmo’s latest Platinum servodrives incorporate comprehensive safety functions while reducing the number of safety components needed, as well as power consumption, complexity, and machine costs.

• Safe Stop 2 (SS2). Controlled braking brings high-kinetic-energy equipment to a controlled stop, at which point, SOS is invoked. It is used when additional motion could be hazardous for people, products or equipment.

• Safe Brake Control (SBC). This provides safe control of an external power-off brake, and is generally used on vertical axes. If a redundant braking system fails, the drive typically invokes SOS.

• Safely Limited Speed (SLS). This sets a maximum speed. If a fault causes the system to exceed a threshold value, the drive brings the axis to a safe state.

• Safely Limited Torque (SLT). This restricts motor torque by limiting the current supplied by the drive.

• Safely Limited Position (SLP). This limits the envelope within which a load can move by monitoring its position via encoder feedback. If this reports the load has moved beyond the allowed envelope, it is stopped using SS1/STO or SS2/SOS. The rapid response of these functions minimises the margin of safety around the equipment.

• Safe Input/Output. For servodrives with Safe I/O (such as Elmo’s Platinum series), two types of digital safe inputs are supported – digital input with test pulse output for diagnostics, and digital input with OSSD (output signal switching device) for light barriers, light curtains and so on. The safe brake output is to SIL3. Safe input logic is similar to FSoE control, and safe output logic is similar to FSoE status.

Functional safety requires a communications network based on a safety-rated protocol, which includes self-checking. If it detects corrupted data or a communication fault, the axis will fail to a known safe state. FSoE uses a TÜV-certified safety network and is especially beneficial in applications such as robots, because it needs only one cable for safety, minimising the amount of space required inside the robot arm.
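The stop sequences in the list above (SS1 ending in STO, SS2 ending in SOS, triggered by SLS and SLP violations) and the fail-to-safe-state behaviour on corrupted or missing safety data can be modelled as a small state machine. The C sketch below is an added illustration, not code from Elmo or from the FSoE specification; the three-byte frame, the CRC-8, the limits, and the choice of SS1 for a speed violation and SS2 for a position violation are all assumptions.

```c
#include <stdint.h>
#include <stddef.h>

/* Illustrative model: states follow the article's function names; limits,
   frame layout and the SLS->SS1 / SLP->SS2 mapping are assumptions.
   This is not drive firmware and not the FSoE wire format. */
typedef enum { RUN, SS1_BRAKING, SS2_BRAKING, STO, SOS } safe_state_t;
typedef struct { int32_t sls_max, slp_min, slp_max, standstill; unsigned wd_limit; } safe_cfg_t;
typedef struct { safe_state_t state; unsigned missed; uint8_t last_seq; } safe_mon_t;
typedef struct { uint8_t cmd, seq, crc; } safe_frame_t;   /* constructed frame */

static uint8_t crc8(const uint8_t *p, size_t n) {         /* CRC-8, poly 0x07 */
    uint8_t c = 0;
    while (n--) {
        c ^= *p++;
        for (int i = 0; i < 8; i++)
            c = (uint8_t)((c & 0x80) ? (c << 1) ^ 0x07 : c << 1);
    }
    return c;
}

safe_frame_t make_frame(uint8_t cmd, uint8_t seq) {       /* sender side */
    uint8_t b[2] = { cmd, seq };
    safe_frame_t f = { cmd, seq, crc8(b, 2) };
    return f;
}

/* One monitoring cycle. f == NULL means no frame arrived this cycle. */
safe_state_t safe_step(safe_mon_t *m, const safe_cfg_t *c,
                       const safe_frame_t *f, int32_t speed, int32_t pos) {
    int32_t mag = speed < 0 ? -speed : speed;
    if (m->state == STO) return STO;               /* latched; reset not modelled */
    if (f == NULL) {
        if (++m->missed > c->wd_limit) return m->state = STO;   /* watchdog expired */
    } else {
        uint8_t b[2] = { f->cmd, f->seq };
        if (crc8(b, 2) != f->crc || f->seq != (uint8_t)(m->last_seq + 1))
            return m->state = STO;                 /* corrupt or out-of-sequence */
        m->missed = 0;
        m->last_seq = f->seq;
    }
    switch (m->state) {
    case RUN:
        if (mag > c->sls_max) m->state = SS1_BRAKING;                  /* SLS */
        else if (pos < c->slp_min || pos > c->slp_max) m->state = SS2_BRAKING; /* SLP */
        break;
    case SS1_BRAKING: if (mag <= c->standstill) m->state = STO; break;
    case SS2_BRAKING: if (mag <= c->standstill) m->state = SOS; break;
    default: break;                                /* SOS: hold at standstill */
    }
    return m->state;
}
```

The sequence counter makes a replayed frame fail the check even though its CRC is valid, so integrity and freshness are tested together before any motion limit is evaluated.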

